Health Care Data Breaches Affect 10 Million Patients Since Fall 2009

By Brian T. Horowitz |
Posted 2011-04-29

A list of data breaches by the Office for Civil
Rights in the U.S. Department of Health and Human Services reveals that more
than 10 million patients have been affected by security lapses in about 260
health care-related incidents reported since 2009.

The department
began compiling the list on Feb. 22, 2010, when the HITECH Act breach
notification rule was enacted. Section 13402(e)(4) of the rule requires health
care organizations to report breaches affecting more than 500 people within 60
days to HHS Secretary Kathleen Sebelius. HHS then adds the incidents to the
list on its Website.

Cases that
have been reported to HHS date back to Sept. 22, 2009.

The breach on
the HHS list impacting the most patients involved insurance provider HealthNet in Rancho Cordova, Calif. In that case,
about 2 million people were affected when nine server drives disappeared from
the company's data center on Jan. 21.

The
second-largest breach occurred when computer backup tapes were stolen from a truck
belonging to the North Bronx Healthcare Network in New York, placing the data
of 1.7 million patients, staff members and others at risk.

Meanwhile, HHS
has penalized organizations such as Massachusetts General Hospital and Cignet
Health for cases that violated HIPAA (Health Insurance Portability and
Accountability Act) privacy regulations.

A move toward
EHRs (electronic health records) or EMRs (electronic medical records) could be
to blame for the rise in security breaches, according to David Ting, CTO of
access-management vendor Imprivata.

"The
scale of breaches has risen exponentially along with the adoption of EMR
systems, and today hundreds of thousands of records containing electronic
patient health information can be stored in a device smaller than a lunch
box," Ting wrote in an email to eWEEK. "The idea of a breach on that
scale back in the paper-based days, whether through unlawful or simply
negligent behavior, was highly unlikely."

With about 260
cases reported to HHS, the potential for those affected could be more than the
number reported, according to Mac McMillan, CEO of health care security firm
CynergisTek and a former U.S. Defense Department intelligence officer.

"Traditionally
speaking, the number of instances of compromise have always been much lower
than the potential number of records/people who could have been affected,"
McMillan wrote in an email to eWEEK.

With data in
many of the health care breaches stored on ordinary flash drives or external
hard drives, employees often forget where they've stored sensitive data until
it's lost.

"Most
organizations do not have a handle on where all their PHI [personal health
information] is, let alone whether its location is appropriate or
necessary," McMillan explained. "This is where data-loss prevention
tools, for instance, are useful to perform that detailed discovery that permits
building that accurate PHI mapping," he said.

Completing the
mapping allows companies to establish rules to reduce the risk that the data is
stored on unauthorized devices.

To make data
more secure, health care organizations can choose products that provide single
sign-on, log-in management, hard drive encryption as well as real-time
inspection of packets and server management, according to Ting.

With workers
in health care organizations failing to encrypt sensitive data and not knowing
where they've stored the information, the resulting health care breaches could
be described as "self-inflicting wounds," McMillan said.

"Basically 67 percent of these incidents involve some
form of physical theft or loss of an IT asset, desktop, laptop, tape, server,
etc., that were not encrypted," he noted. "How many more do we
need to see before organizations re-evaluate their controls and consider
encryption a requirement?"